One point to make here is that by reaching the DP target, SSC would likely be considered “Advanced” in the Healthcare context because of the generally poor standards that exist in the Irish Healthcare sector. The improved governance of Information will contribute to improvements in data quality as a by-product of care and attention.
This is akin to not having a fire drill and not having a hygiene policy. A process must be defined that ensures the organisation not only can tick the box of having a policy but can effectively execute the process and procedures should an incident happen. You do not wait for a fire before figuring out how to evacuate the building and who is responsible for doing what.
Policies, Procedures, Metrics and Evidence are very important and will align with objectives under other Quality Assurance criteria.
Medical Clinic - Daragh O Brien
Medical Clinic
Data Protection & Data Quality Review
Agenda
• Background and Overview
• Summary of Report Findings
 – Maturity Ranking
 – The Good (Things to be commended)
 – The Bad (Issues causing concern)
 – The Ugly (Serious Compliance issues/risks)
• Recommendations
Context
• Data Protection Compliance = Risk
 – Risk to Trust
 – Risk to Revenue
 – Risk to Brand
• Data Quality Issues = Cost + Risk
 – Risk of wrong treatment
 – Risk of underutilised resources
 – Cost of checking and rechecking data
The Methodology
• Face to Face Qualitative Interviews
• Observations made while on-site
• Research & Review of Best Practice
Summary of Findings
• Some good things found.
• 12 areas of concern/weakness
• 6 critical risks to Compliance found
Maturity Assessment
[Chart: maturity scale. Levels shown: Optimising, Advanced, Intermediate, Basic, Initial. Descriptors shown: Value Centric Management; State of the Art Practices & Outcomes; Information Value quantified and communicated; Practices and outcomes well above industry average; Interactions formalised for critical processes; Transparent Investment Decisions; Basic IT Services being delivered; Some interactions/processes formalised; No formal processes; Ad hoc Management. Markers shown: Data Protection Target, Data Protection Maturity.]
Based on IVI IT-CMF framework
CRITICAL RISKS
• Data Controller (??)
• Data Processor (??)
Critical Risks
Patient file: Mr Smith
• Patient data being transferred by email without encryption/security
• Email forwarding to external services a concern
CRITICAL RISK
• No defined Data Security Breach Process
CRITICAL RISK
• Personal and Sensitive Personal data being managed and transferred in Spreadsheets
CRITICAL RISK
• Little or no segregation of inbound and outbound patient data
CRITICAL RISK
• Registry Entry for Hospital with DPC is inaccurate
Compliance Issues
• Classification/Categorisation of Information
• No Formal Governance framework for Data Policies/Procedures/Process
 – Absent or poorly defined
 – May not reflect DP Obligations
Compliance Issues
• No training in Data Protection
• No consistency in formal training in systems – a lot of ‘informal’ learning
• The absence of “role based” access to personal data in systems is a concern
Compliance Issues
• No verifiable evidence of good behaviours being followed
• No formal or consistent “Leavers/Movers” process to restrict access to records
• CCTV Signage does not meet DPA requirements
12 Step Plan
• Governance & Policy Issues
• Training and Awareness
• Technical & Technology Issues
Governance Issues
• Formalise Data Controller/Data Processor Relationships
• Implement formal Information Governance
• Define appropriate Policies, Procedures & Metrics
• Review appropriateness of email forwarding. Define clear policy
• Define Leaver/Movers process to encompass all systems and manual data
• Conduct Audit of Manual Data Storage/Disposal (Clean Desk Policies)
• Review existing Disclosure policies to ensure DPA requirements met.
Technology Issues
• Implement Role based access to electronic data (where possible)
• Implement Segregation between “Data In” and “Data Out”
• Inspect Data Redundancy (e.g. Spreadsheets). Assess need and secure
• Review existing Disclosure policies to ensure DPA requirements met.
Training & Awareness Issues
• Implement Training on DP/DQ to key target audiences
• Coupled with the roll out and implementation of Training, we would recommend that supporting activities be developed to help make culture change stick e.g.:
 – “Story” development to lock in the learning
 – Internal Communication plans
 – Continuous Improvement
Governance Model 1
[Diagram: Information Governance Steering Group. Labels shown: Advisory, External Expert, Chair, CEO, Consultants, (DPO), HR, IT, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance]
Governance Model 2
[Diagram: Information Governance Steering Group. Labels shown: Chair, External Expert, CEO, Consultants, (DPO), HR, IT, Bus Apps, Patient Svcs, JCI, Nursing, Radiology, Finance]
Governance Model 3
[Diagram: Information Governance Steering Group. Labels shown: External Expert, Bus Apps, Consultants, (DPO), IT, HR, CEO, Patient Svcs, JCI, Nursing, Radiology, Finance]
• Effective Model for Project Management
• Least Preferred Option for on-going Governance
Evolving from Excellent Project to Effective Governance
[Diagram. Labels shown: Project, Governance; Governance Model 1, Governance Model 2, Governance Model 3; Project Execution, Transition & Bed-in, Operational & Effective]
Summary
1. Ensure all staff know WHAT needs to be done – (Policies, Procedures & Training)
2. Ensure all staff know WHY it needs to be done – (Culture change, align with values)
3. Ensure all staff know HOW it needs to be done – (Governance, Policies, Training)
4. Ensure all staff know WHO is doing it – (Governance, Policies, Contractual issues)
5. Ensure the Clinic can demonstrate THAT IT HAS been done – (Metrics, Governance, Reporting)
In conclusion....
Best efforts are essential. Unfortunately, best efforts, people charging this way and that way without the guidance of principles, can do a lot of damage. Think of the chaos that would come if everyone did his best, not knowing what to do.
W. Edwards Deming, Out of the Crisis